In a world that is constantly targeted by bots and trojans, it is rare to see a worm in action. If the Conficker worm caused mayhem, then we can expect the newly discovered worm, named Morto, to cause some trouble of its own.
The Morto worm wriggles its way through systems over the RDP port (TCP 3389), a favourite among system administrators. Morto scans the network for hosts with RDP open, connects to them, and works through a list of weak and default passwords until it gets a logon. Once connected, it uses RDP drive redirection, which exposes the client machine's drives to the remote session as \\tsclient\{driveletter}, so files can be moved across the RDP session without any separate network share, which again points to a data-stealing worm.
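Because Morto spreads purely by guessing RDP passwords, the footprint it leaves on a target is a burst of failed RemoteInteractive logons (Security event 4625, Logon Type 10) from one source, sometimes followed by a success (event 4624) from the same source. The following detection script is an added example written for this post, not code from the original article or from any Morto analysis. It runs over constructed sample records with simplified field names rather than the real EVTX schema, flags sources that exceed a failure threshold inside a time window, and marks those where a successful RDP logon follows the burst. The threshold, window, and sample IPs are assumptions chosen for illustration.

```python
"""Detect Morto-style RDP password guessing from Windows Security events.

Added example, not from the original post. Records are constructed and
modelled on Security log events 4625 (failed logon) and 4624 (successful
logon) with Logon Type 10 (RemoteInteractive, i.e. RDP). The tuple layout
is a simplified assumption, not the exact Windows event schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive
EVENT_FAILED_LOGON = 4625
EVENT_SUCCESS_LOGON = 4624

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2011-08-28 02:00:01", 4625, 10, "Administrator", "10.0.0.55"),
    ("2011-08-28 02:00:02", 4625, 10, "Administrator", "10.0.0.55"),
    ("2011-08-28 02:00:03", 4625, 10, "Administrator", "10.0.0.55"),
    ("2011-08-28 02:00:04", 4625, 10, "admin",         "10.0.0.55"),
    ("2011-08-28 02:00:05", 4625, 10, "Administrator", "10.0.0.55"),
    ("2011-08-28 02:00:06", 4625, 10, "admin",         "10.0.0.55"),
    ("2011-08-28 02:00:07", 4625, 10, "Administrator", "10.0.0.55"),
    ("2011-08-28 02:00:09", 4624, 10, "Administrator", "10.0.0.55"),  # success after the burst
    ("2011-08-28 02:05:00", 4625, 10, "jsmith",        "10.0.0.23"),  # one typo, benign
    ("2011-08-28 02:10:00", 4625, 3,  "svc_backup",    "10.0.0.77"),  # network logon, not RDP
]


def parse_event(rec):
    """Turn one constructed record into a dict with a real datetime."""
    ts, event_id, logon_type, account, src = rec
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "id": event_id,
        "type": logon_type,
        "account": account,
        "src": src,
    }


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return findings keyed by source IP for sources that produced at least
    `threshold` failed RDP logons within `window`.

    Each finding carries the total failure count, the set of accounts tried,
    and whether a successful RDP logon from the same source followed the
    burst (the pattern a successful Morto infection would leave behind)."""
    by_src = defaultdict(list)
    for rec in events:
        ev = parse_event(rec)
        if ev["type"] != RDP_LOGON_TYPE:
            continue                      # only RDP logons are of interest here
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == EVENT_FAILED_LOGON]

        # Sliding window over the sorted failures: stop at the first window
        # that holds `threshold` or more, and remember where that burst ends.
        burst_end = None
        for i in range(len(failures)):
            j = i
            while (j + 1 < len(failures)
                   and failures[j + 1]["ts"] - failures[i]["ts"] <= window):
                j += 1
            if j - i + 1 >= threshold:
                burst_end = failures[j]["ts"]
                break
        if burst_end is None:
            continue

        success_after = any(
            e["id"] == EVENT_SUCCESS_LOGON and e["ts"] >= burst_end for e in evs
        )
        findings[src] = {
            "failures": len(failures),
            "accounts": sorted({e["account"] for e in failures}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "LIKELY COMPROMISED" if info["success_after_burst"] else "guessing only"
        print(f"{src}: {info['failures']} failed RDP logons against "
              f"{info['accounts']} -> {verdict}")
```

The check that matters most is the last one: a single source producing a burst of failures and then a success is the signature of a guessed password, not a mistyped one, and the matching 4624 tells you which host to pull off the network first. In a real deployment the same logic would read the Security log (event IDs 4625/4624, Logon Type 10) instead of the constructed list.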
At the moment the passwords tried are default ones, but we may soon see a variant that exploits the RDP vulnerabilities Microsoft has already described. A few other attacks on RDP exist that are essentially MITM based, where passwords and keystrokes can be sniffed from the session; they depend on the client accepting an unverified server certificate, which is why the certificate warning at an RDP logon should never be clicked through. Such modules could easily be integrated into a future build of the Morto worm.
The way I look at it, a MITM attack on an admin's PC might end up revealing all the admin login passwords, with no need for a keylogger, which nowadays gets detected almost instantly; but as of now this is a far-fetched theory.
The second theory is about cached RDP passwords. I haven't yet looked into the cache or the security with which Microsoft stores it, but these are some of the footholds that may be used, and it seems viable at the moment.
Back in 2007, NirSoft released a utility for revealing cached RDP passwords, but it doesn't seem to work with newer versions of the RDP client, as the .rdp file no longer stores the password; saved credentials are kept by Windows Credential Manager instead.
Whatever method of penetration is used, this is an interesting worm: it opens up new attack vectors and adds another weapon to the hacker's arsenal.